One of the most popular Android file sharing apps has several vulnerabilities that haven’t been fixed by its developers for over three months, new research has claimed.
Security researchers at Trend Micro discovered the shortcomings in the ShareIT app that if exploited, can not only leak a user’s sensitive data, but can also execute arbitrary code on the device.
More worryingly, the vulnerabilities were brought to the attention of the app’s publishers over three months ago, but have seemingly decided to ignore the report.
Improper defaults
“We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission,” noted Trend Micro in its report.
Even more worryingly, the researchers add that any attacks launched by exploiting these vulnerabilities will be hard to detect as they masquerade the legitimate operations of the app.
While discussing the vulnerabilities in detail, the researchers say that the flaws exist because the app implements its sharing functions with improper settings that leave it prone to abuse.
The researchers were able to successfully exploit the vulnerabilities with a proof-of-concept app to gain temporary read/write access to the data on the device, and even managed to run arbitrary code on the device.
Since ShareIT’s developers failed to respond to the researchers, they’ve also brought it to the attention of Google – however, there has been no response as yet, and the app still continues to be listed on the official Android Play Store.